Things you should know (TYSK) – VCSA and AD Authentication
Since I started using the vCenter Server Appliance (VCSA) I noticed a strange behaviour which I didn't understand at first. When using the Web Client or the C# Client and selecting "Use Windows session credentials", I got the following error message:
vSphere Web Client:
The authentication server returned an unexpected error: ns0:RequestFailed: IDM threw unexpected error during authentication :: Native platform error [code: 1213][ERROR_INVALID_SERVICENAME][]. The error may be caused by a malfunctioning identity source.
vSphere Client:
But when I left "Use Windows session credentials" unselected and instead typed in the same user name and password that the Windows session would have used, I was able to log in.
The following shows my SSO identity source configuration, which looks correct.
When I searched for the problem I came across a Microsoft article describing how Kerberos authentication works, and it led me to the cause.
By design, when "Use Windows Session Credentials" is selected, the user name and password are sent to vCenter using the Kerberos authentication protocol, which works only when both the client and the server are joined to a common domain.
I checked the AD Authentication settings of the appliance, and my VCSA was not joined to the domain.
After joining the appliance to my domain, everything worked as expected.
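As an added check (example code written for this post, not taken from VMware or from the original article), the following POSIX shell script turns the "is the appliance joined to the domain the identity source expects?" question into something you can script before enabling Kerberos SSO. It assumes the VCSA ships the Likewise tool at `/opt/likewise/bin/domainjoin-cli` and that `domainjoin-cli query` prints a `Domain = <name>` line only when the appliance is joined; both the path and the output format are assumptions, and the sample outputs embedded below are constructed for the offline demonstration.

```shell
#!/bin/sh
# Added example, not from the original post.
# Assumption: on the VCSA the Likewise tool lives at this path and
# `domainjoin-cli query` prints "Domain = <name>" only when joined.
DOMAINJOIN_CLI="${DOMAINJOIN_CLI:-/opt/likewise/bin/domainjoin-cli}"

# Read `domainjoin-cli query` output on stdin; print the joined domain
# or NOT_JOINED when no "Domain = ..." line is present.
joined_domain() {
    domain=$(sed -n 's/^Domain = \(.*\)$/\1/p' | head -n 1)
    if [ -n "$domain" ]; then
        printf '%s\n' "$domain"
    else
        printf 'NOT_JOINED\n'
    fi
}

# Compare the join state with the domain the SSO identity source expects.
# Returns 0 when the appliance is joined to that domain, 1 otherwise.
# Case-insensitive, since AD domain names are not case sensitive.
check_join() {
    expected_domain=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    actual=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
    if [ "$actual" = "NOT_JOINED" ]; then
        echo "VCSA is not joined to any domain: Kerberos SSO (Use Windows session credentials) cannot work"
        return 1
    fi
    if [ "$actual" != "$expected_domain" ]; then
        echo "VCSA is joined to $2 but the identity source expects $1"
        return 1
    fi
    echo "VCSA is joined to $2: Kerberos SSO prerequisite satisfied"
    return 0
}

# Constructed sample outputs (not captured from a real appliance).
SAMPLE_NOT_JOINED='Name = vcsa'
SAMPLE_JOINED='Name = vcsa
Domain = EXAMPLE.LOCAL
Distinguished Name = CN=vcsa,CN=Computers,DC=example,DC=local'

# Usage: run with --live <domain> on the appliance to query the real tool;
# without arguments the constructed samples are evaluated instead.
if [ "${1:-}" = "--live" ]; then
    check_join "${2:-EXAMPLE.LOCAL}" "$("$DOMAINJOIN_CLI" query | joined_domain)"
else
    check_join EXAMPLE.LOCAL "$(printf '%s\n' "$SAMPLE_JOINED" | joined_domain)"
    check_join EXAMPLE.LOCAL "$(printf '%s\n' "$SAMPLE_NOT_JOINED" | joined_domain)" || true
fi
```

The second sample reproduces the situation described in the post: the identity source is configured for the domain, but the appliance itself is not joined, so Kerberos has no machine account or service principal to authenticate against and the "Use Windows session credentials" path fails while a plain user name and password login still works.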